> I don't know how NZ banks do it; in the US, they use the phone
> number you're calling from. Yes, it's spoofable, but most folks (a)
> don't know it, and (b) don't know how.

No, they don't use the phone number to validate anything. I routinely ignore the instructions to "call from your home phone". I call in from random payphones to "activate" my cretin cards, and they activate just fine. Perhaps there's a database record made somewhere with the phone number of that payphone -- but the card is active, and I could be stealing money from it immediately.

Note also that their ability to get that phone number depends on the FCC exemption that allows 800-numbers to bypass caller-ID blocking. If the FCC ever comes to its senses (I know, unlikely) then making somebody call an 800-number will not even produce a phone number.

John

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com